I’ve been extra busy lately trying to close things out before taking a much needed break. This will be the first set of days I’ve taken off this year, believe it or not. I didn’t realize that until I had a minute to sit and think about it. A few more Azure Sentinel workshop sessions and I’ll be purposely having idle brain time for a few days before the Thanksgiving holiday. Man…I love this time of year!
Anyway…between workshop sessions and other miscellaneous Azure Sentinel goodness yesterday, I worked with a customer to connect their Crowdstrike environment to Azure Sentinel. I’m not going to go through all the details, but suffice to say, the process was easy. And, here’s what you need to know to do it yourself.
Crowdstrike offers a Falcon SIEM connector add-on. The add-on does cost extra, but check your contract – you may already be paying for it and not realize it.
The Falcon SIEM Connector is deployed on-premises on a system with running either CentOS or RHEL 6.x-7.x.
The architecture looks like the following:
After downloading the connector, the following blog post by Crowdstrike works wonders for the setup. Pay particular attention to the flow diagram in the blog post of how to pick the right configuration and configure the files.
Once you dig through and follow the instructions in the blog post, you’ll then need to download the SIEM Connector Feature Guide for additional configuration steps – including filtering/parsing (requires a customer login).
SIEM Connector Feature Guide (requires a customer login)
P.S. This information should be added to the Azure Sentinel master connector list soon.